Jenkins Plugins ¶à¸öÇå¾²Îó²îΣº¦Í¨¸æ

Ðû²¼Ê±¼ä 2020-01-17

Îó²î±àºÅºÍ¼¶±ð


CVE±àºÅ£ºCVE-2020-2095£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£ºÖÐΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2094£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£ºÖÐΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2097£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2096£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£ºÖÐΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2091£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£ºµÍΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2090£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£ºµÍΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2093£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£ºÖÐΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2092£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2020-2098£¬£¬£¬ £¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬ £¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨


Ó°Ïì°æ±¾


Amazon EC2 Plugin < 1.48

Robot Framework Plugin < 2.0.1

CloudBees Plugin < 3.0.1

Redgate SQL Change Automation Plugin < 2.0.5

Gitlab Hook Plugin <= 1.4.2

Sounds Plugin <= 0.5  


Îó²î¸ÅÊö


JenkinsÊÇÒ»¸ö¿ªÔ´Èí¼þÏîÄ¿£¬£¬£¬ £¬ÊÇ»ùÓÚJava¿ª·¢µÄÒ»ÖÖÒ»Á¬¼¯³É¹¤¾ß£¬£¬£¬ £¬ÓÃÓÚ¼à¿ØÒ»Á¬Öظ´µÄÊÂÇ飬£¬£¬ £¬Ö¼ÔÚÌṩһ¸ö¿ª·ÅÒ×ÓõÄÈí¼þƽ̨£¬£¬£¬ £¬Ê¹Èí¼þµÄÒ»Á¬¼¯³ÉÄð³É¿ÉÄÜ¡£¡£¡£¡£


Jenkins¹Ù·½Ðû²¼ÁËÆä6¸ö²å¼þµÄ9¸öCVEÏà¹ØÇ徲ͨ¸æ£¬£¬£¬ £¬ÏêÇéÈçÏ£º


Amazon EC2 Plugin Öб£´æCSRFÎó²î£¨CVE-2020-2090£©ºÍȱÉÙȨÏÞ¼ì²éÎó²î£¨CVE-2020-2091£©


Amazon EC2²å¼þ1.47ºÍ¸üÔç°æ±¾²»»áÔÚÖ´ÐÐ±íµ¥ÑéÖ¤µÄÒªÁìÖÐÖ´ÐÐȨÏÞ¼ì²é¡£¡£¡£¡£±ðµÄ£¬£¬£¬ £¬ÕâЩ±íµ¥ÑéÖ¤ÒªÁì²»ÐèÒªPOSTÇëÇ󣬣¬£¬ £¬´Ó¶øµ¼ÖÂCSRFÎó²î¡£¡£¡£¡£


Robot Framework Plugin Öб£´æXXEÎó²î£¨CVE-2020-2092)


Robot Framework Plugin 2.0.0¼°¸üÔç°æ±¾Ã»ÓÐÉèÖÃXMLÆÊÎöÆ÷À´±ÜÃâXMLÍⲿʵÌ壨XXE£©¹¥»÷¡£¡£¡£¡£


CloudBees Plugin µÄ Health Advisor Öб£´æCSRFÎó²î£¨CVE-2020-2093£©ºÍȱÉÙȨÏÞ¼ì²éÎó²î£¨CVE-2020-2094£©


CloudBees Plugin 3.0 ºÍ¸üÔç°æ±¾ÖÐµÄ Health Advisor ÔÚÖ´ÐÐ±íµ¥ÑéÖ¤µÄÒªÁìÖв»Ö´ÐÐȨÏÞ¼ì²é¡£¡£¡£¡£±ðµÄ£¬£¬£¬ £¬ÕâЩ±íµ¥ÑéÖ¤ÒªÁì²»ÐèÒªPOSTÇëÇ󣬣¬£¬ £¬´Ó¶øµ¼ÖÂCSRFÎó²î¡£¡£¡£¡£


Redgate SQL Change Automation Plugin Ã÷ÎĴ洢ƾ֤£¨CVE-2020-2095£©


Redgate SQL Change Automation Plugin 2.0.4¼°¸üÔç°æ±¾½«Î´¼ÓÃܵÄNuGet APIÃÜÔ¿´æ´¢ÔÚjob config.xmlÎļþÖУ¬£¬£¬ £¬×÷ΪÆäÉèÖõÄÒ»²¿·Ö¡£¡£¡£¡£


Gitlab Hook Plugin ±£´æ·´ÉäÐÍXSS£¨CVE-2020-2096£©


Gitlab Hook Plugin 1.4.2 ºÍ¸üÔç°æ±¾Ã»ÓÐתÒå build_now ÖÕ½áµãÖеÄÏîÄ¿Ãû³Æ¡£¡£¡£¡£


Sounds Plugin ±£´æCSRFÎó²î£¨CVE-2020-2098£©ºÍȱÉÙȨÏÞ¼ì²éÔÊÐí²Ù×÷ϵͳÏÂÁîÖ´ÐУ¨CVE-2020-2097£©


Sounds Plugin 0.5 ¼°¸üÔç°æ±¾²»ÔÚÖ´ÐÐ±íµ¥ÑéÖ¤µÄURLÖÐÖ´ÐÐȨÏÞ¼ì²é¡£¡£¡£¡£±ðµÄ£¬£¬£¬ £¬ÕâЩ±íµ¥ÑéÖ¤URL²»ÐèÒªPOSTÇëÇ󣬣¬£¬ £¬´Ó¶øµ¼ÖÂCSRFÎó²î¡£¡£¡£¡£


Îó²îÑéÖ¤


ÔÝÎÞPOC/EXP¡£¡£¡£¡£


ÐÞ¸´½¨Òé


ÏÖÔÚ³§ÉÌÒÑÐû²¼Éý¼¶²¹¶¡ÒÔÐÞ¸´Îó²î£¬£¬£¬ £¬²¹¶¡»ñÈ¡Á´½Ó£ºhttps://jenkins.io/security/advisory/2020-01-15/#descriptions¡£¡£¡£¡£

»º½â²½·¥£ºÎª»º½â±£´æÎó²îÉÐÎÞÐÞ¸´³ÌÐòµÄ²å¼þ£¬£¬£¬ £¬Çë²»Òª¶ÔÍ⿪·ÅJenkins£¬£¬£¬ £¬×öºÃJenkinsÓû§Õ˺ÅÖÎÀí£¬£¬£¬ £¬Èô·ÇÐëÒª£¬£¬£¬ £¬Çë½ûÓÃÊÜÓ°ÏìµÄ²å¼þ¡£¡£¡£¡£


²Î¿¼Á´½Ó


https://jenkins.io/security/advisory/2020-01-15/#descriptions